United States · HIPAA Privacy Rule
Run HIPAA access, amendment, and breach notices in one platform
For public-sector covered entities — public hospitals, county and state health departments, and Medicaid agencies — AccessPoint manages the individual right of access to protected health information, amendment requests, and breach notification, inside your own Microsoft 365 tenant.
United States — HIPAA at a glance
- Access deadline
- 30 calendar days, with one 30-day extension (45 CFR 164.524)
- Access fee
- A reasonable, cost-based fee only
- Amendment deadline
- 60 days to act, with one 30-day extension (45 CFR 164.526)
- Breach notification
- Without unreasonable delay, no later than 60 calendar days (45 CFR 164.404)
- Oversight
- HHS Office for Civil Rights (civil money penalties)
- Languages
- English
Built for United States — HIPAA
One platform for the whole access-and-privacy mandate, pre-configured for this regime and running in your own Microsoft 365 tenant.
Right-of-access requests
Run an individual's access to their PHI on the 30-day clock, with the single 30-day extension, the requested form and format where readily producible, and a reasonable cost-based fee, all built on Microsoft 365.
Amendment requests
Manage 164.526 amendment requests end to end — the 60-day clock, the grounds for denial, the individual's statement of disagreement, and the entity's rebuttal, all recorded.
Breach notification
Log a breach of unsecured PHI, run the risk assessment, and get a live checklist of who must be notified — affected individuals, the HHS Secretary, and the media — and by when.
Designated record set and minimum necessary
Scope each request to the designated record set and apply minimum-necessary handling, with every access and disclosure logged.
Built for OCR scrutiny
Access is one of OCR's most-enforced provisions — every request carries a timestamped trail and a defensible record if a complaint is filed.
In your own tenant
Protected health information stays inside your own Microsoft 365 and Azure tenant — no third-party cloud, no vendor access to PHI, no cross-border transfers.
The Right of Access Initiative
OCR made the right of access an enforcement priority. Miss the 30-day clock and it's a finding.
The individual right of access under 45 CFR 164.524 is one of the most actively enforced provisions in HIPAA. Since 2019 the HHS Office for Civil Rights has resolved dozens of cases under its Right of Access Initiative — most turning on a covered entity that took too long, charged too much, or never produced the record. The rule is specific: act within 30 days, take at most one 30-day extension, provide the copy in the form and format the individual asked for where readily producible, and charge only a reasonable, cost-based fee. AccessPoint runs each access request on that clock, with the fee basis, the delivery format, and the full trail an OCR investigator would expect — so a routine request never becomes a settlement.
Configured out of the box
Installing the us-hipaa configuration pack seeds your tenant with everything this regime needs — a starting point you can adjust, not a lock-in.
Related guide: FOI Workflow Quick Check- The HIPAA Privacy Rule access (164.524) and amendment (164.526) rights as the workflow spine
- The 30-day access clock with the single 30-day extension and calendar-day math
- Designated-record-set scoping and minimum-necessary handling
- Reasonable cost-based fee calculation and itemization
- Section 164.526 amendment grounds, denials, and statement-of-disagreement handling
- The Breach Notification Rule (164.400–414) risk assessment and notification checklists
- Individual, HHS Secretary, and media notification templates with their deadlines
- A timestamped audit trail built for OCR investigations
United States — HIPAA Questions
Who is this HIPAA configuration for?
How long do we have to respond to a right-of-access request?
Does it handle amendment requests and breach notification?
Where does protected health information reside?
Run HIPAA Access, Amendment, and Breach in One Platform
Try AccessPoint free for 30 days, configured for HIPAA covered entities. No credit card required.
Start Free Trial